GDPR vs Meta Platforms: The Rest of the Story. User Consent Must Be Provided
We recently discussed the difficulties the tech giant Meta Platforms has faced with European supervisory authorities (the Irish DPC and the European EDPB) and the prospects for further litigation, in particular class actions, over the illegal processing of users’ personal data. As it turned out, we were partially right and expectedly wrong about Facebook’s good faith.
In March 2023, Meta Platforms lost a class action lawsuit in an Amsterdam court to the Dutch Data Privacy Stichting, which acted in conjunction with the Consumentenbond, the Dutch Consumers’ Association. Even so, Meta Platforms did not start using consent as a legal basis for processing user data to comply with the EDPB’s decision, choosing legitimate interest (Article 6(1)(f) GDPR) instead.
Here’s a closer look at why the Amsterdam court’s decision is an important precedent and what conclusions can be drawn from it by anyone involved in profiling and targeted advertising on social media.
Contract as a legal basis for data processing
The EDPB disagreed with Facebook’s arguments regarding the necessity of collecting user data and consistently held the position, repeatedly highlighted in its guidelines, that a contract under civil law and a contract under privacy law are not identical concepts, and that “necessity” is determined primarily based on the understanding offered by privacy law.
In particular, in its Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, the EDPB noted that “the concept of what is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or written into the terms of a contract. The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law. Therefore, it also involves consideration of the fundamental right to privacy and protection of personal data, as well as the requirements of data protection principles including, notably, the fairness principle. The starting point is to identify the purpose for the processing, and in the context of a contractual relationship, there may be a variety of purposes for processing. Those purposes must be clearly specified and communicated.”
Similarly, the Amsterdam court, referring to the explanations of the WP29 (predecessor of the EDPB), in paragraph 12.13.1 of the decision, noted that the contractual provisions “should be interpreted strictly and does not cover situations where the processing is not actually necessary for the performance of a contract, but rather is unilaterally imposed on the data subject by the controller. Also, the fact that the processing of certain data falls under an agreement does not automatically mean that the processing is necessary for its implementation. There is a clear link here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact reason behind the contract, i.e., its content and basic purpose, as this will be used to assess whether the data processing is necessary for the performance.”
Thus, the “necessity” of collecting personal data is determined not by the terms of the contract, but by the purpose of their processing, so the service and data processing (and the legal basis in the form of the contract with them) are within the scope of the purpose. If the data is necessary to achieve the latter, the criterion of “necessity” of collecting information is met. If not (but the need to provide data is provided for in the contract), then another legal basis, in particular, consent or legitimate interest, must be used.
Moreover, the EDPB also believes that the legitimate interest does not justify profiling on social media platforms (as now relied upon by Meta Platforms).
Because of this, it is pretty natural that Facebook’s arguments were perceived with scepticism by the Amsterdam court: in paragraph 12.16 of the judgment, the court concluded that “since the main and mutually understood purpose of the user agreement is to provide a profile on a social network, the question of necessity must be assessed in the light of that purpose. It has not been stated or proven that offering a profile on the social network cannot actually be carried out if the processing of personal data for advertising purposes does not take place. It is therefore not certain that this would not be possible. It is therefore not objectively and actually necessary for Facebook Ireland to process a user’s personal data for advertising purposes in order to offer a profile on the social network of the Facebook platform.”
Sensitive data at risk
In addition to the disqualification of the contract as a legal basis for data processing for advertising purposes, the case involved a challenge to the following aspects:
- violation of transparency obligations under Articles 5, 12, 13 and 14 of the GDPR, which consist in failing to provide users with sufficient information about some personal data processing operations;
- unlawful processing of special categories of personal data under Article 9 of the GDPR, including the lack of explicit consent.
Thus, investigating the issue of processing sensitive data for advertising purposes, the court determined in paragraph 13.14 of the judgment that Facebook offered advertisers such categories and subcategories of interests as health, religion and political or sexual orientation, which means that Facebook Ireland processed sensitive personal data of users for advertising purposes, tracking their behaviour and classifying the information obtained in this way. However, no explicit consent was obtained for this purpose. Relying on the EDPB’s explanation, the court noted that classifying users based on religion, philosophical beliefs or political views is considered to be the processing of sensitive personal data, regardless of the accuracy of the classification. Therefore, Meta was illegally processing this information.
It is also worth highlighting the following conclusions of the court in this case, which will affect further law enforcement practice on personal data protection.
Unfair commercial practices in the processing of personal data
The court noted (para. 5.17 of the judgment) that Facebook Ireland did not sufficiently inform customers about the purpose for which and the manner in which personal data were processed when entering into the agreement to use the Facebook service. In addition, Facebook Ireland has not been sufficiently clear about its business model. The failure to inform consumers (clearly enough), when entering into the agreement, that the personal data the consumer provides to Facebook Ireland to gain access to the Facebook service will also be used for advertising purposes, in the manner in which this is done, should be regarded as a misleading omission of material information that the average consumer – that is, the reasonably informed, prudent and observant consumer – needs to be able to make an informed decision about participating in the Facebook service.
Thus, the court rejected Facebook’s arguments that claims based on personal data protection requirements cannot be simultaneously considered unfair commercial practices, including failure to provide users with the necessary information. Therefore, according to the court, the GDPR and the EU Unfair Commercial Practices Directive can be applied simultaneously in the same case. The European Court of Justice formulated a similar conclusion regarding Meta Platforms in its judgment of 28.04.2022 (C-319-20).
Concerning tracking cookies, the court concluded that “it is undisputed that by placing cookies on third-party websites, information is exchanged between the user’s browser and the Facebook server.” (para. 14.14 of the judgment). Facebook may delegate the obligation to notify users of tracking cookies to a third party, i.e., a resource that directly uses them on its website. At the same time, Facebook must comply with the requirements of the law when processing personal data obtained through cookies. This means that personal data obtained through cookies must have a legal basis for processing. However, Facebook did not have such a lawful basis for processing personal data using cookies for advertising purposes.
Recovery of damages
When deciding on the possibility of recovering damages caused by the breach of privacy, the court referred to the difficulty of assessing them in monetary terms and noted (para. 18.5 of the judgment) that the plaintiff did not provide sufficient evidence that Facebook users had suffered a decrease in the value of their assets or an increase in their liabilities. Nevertheless, this issue may be the subject of a separate court proceeding.
Earlier, the UK court dismissed another class action lawsuit against Facebook for incorrect calculation of damages.
Meanwhile, the Dutch consumer association announced that it is preparing to file a second lawsuit against Meta Platforms.
As you know, it is better to learn from the mistakes of others than from your own. The judicial practice formed around social networks and tech giants determines the general discourse of law enforcement, which will soon begin to affect all other market participants that process personal data. Therefore, at the very least, it is worth drawing conclusions in advance and taking steps to avoid the mistakes of Meta Platforms that are under public scrutiny: carefully check whether your service or mobile application provides all the necessary information to users, whether the grounds for processing each type of information you process are correctly defined, whether you know what to do in case of a personal data breach, etc. If you have any doubts about the above points, it is better to contact us for help and save your time, money, and reputation.